Privacy is a basic human right, defined in Article 12 of the Universal Declaration of Human Rights (see also Right to Privacy in the Digital Age). We should all be very concerned with invasions of our privacy, or where our privacy is not guaranteed. Or when our data is accessed illegally (as in PRISM) by foreign government agencies and then passed to our law enforcement agencies. Or when your data is invaded because somebody else uses your network and is under investigation. Or when your data simply falls into the wrongs hands because it’s been stored inadequately and has been accessed by a hacker (as happened to the Ashley Madison website). People don’t necessarily feel sorry for Ashley Madison – they quite rightly feel apathetic towards the company – but they certainly feel sympathetic to innocent users who had their accounts hacked (note it’s not our place to judge anyone’s guilt based on the services they use).

Now imagine instead that your ISP was hacked, and hackers revealed everyone who had accessed services such as Ashley Madison, or mental health services, or Lifeline/Beyondblue, or domestic violence help, or financial assistance, or family planning and abortion services, or drug rehabilitation services, alcoholics anonymous, gambling help online, or emergency food relief charities, or specialised legal services, or religious services, or other sensitive services a person might feel self-conscious about and rightly expect they have a right to privacy about. Virtually all of the services I just mentioned promise to provide either confidentiality or anonymity. If your data is stored by your ISP, by law, then it becomes a target for hackers. Once the data is obtained by a hacker (or a disgruntled employee) it can be mined and sold. Vulnerable people can be selectively targeted. For example, people suffering from gambling addition could have their details (their full name and email address) sent to advertisers who could then target everyone on the list with online gambling services. Identities can be stolen wholesale. This list of horrendous possibilities goes on. You might want privacy for all kinds of genuine reasons, but you need privacy in order to be able sure of your security as well as to access sensitive services that require anonymity or confidentiality. I highly suggest listening to the recent IQ2 debate Only The Wicked Need Fear Government Spying (seems to be unavailable as at 21/02/2018, check here).

Government spying is not legal in Australia. The metadata honey-pot for the various law enforcement agencies to access cannot legally be stored by any government agency – yet the Federal Government and law enforcement agencies wants this information stored indiscriminately by service providers so they can access it whenever they need it. Many have argued, including Malcolm Turnbull, that this data is “already available”. Well that’s not entirely true. If it was already available there would be no cost associated with storing it. The reality is the law forces ISPs and Telcos to store more data and for longer. For example all email providers have to now store metadata relating to your emails! That’s a list of everyone who you contact, and when, and everyone who contacts you, and when. You have no control whatsoever over what comes in to your email address! In Europe, where similar data retention laws were passed in several countries, the duration for the storing of metadata was usually much less than 2 years – typically around 6-12 months.

Europe is an interesting case. The European Union came up with a directive instructing member states to enact mandatory data retention by Telecommunication companies, after 8 years the directive was struck down by an EU Court by a finding that found that the directive was illegal. Across Europe, in response to the EU Directive, similar laws were passed, and in a number of countries they have since been retracted – and in many countries on constitutional grounds. The list of European countries I know about that had data retention laws struck down by a constitutional court includes Austria, Germany, Belgium, Bulgaria, Czech, Slovenia, Slovakia, Romania, Cyprus, and Argentina. Note that in the Slovenia ruling the court ordered Telcos to destroy retained data immediately! And that’s just a list of EU countries where it was revoked on constitutional grounds alone. The Netherlands scrapped their law, Hungary’s law may be struck down constitutionally, and the UK’s has been suspended by court order with a suspension on the suspension order until 31 March 2016! In the majority of cases in Europe VPNs were included along with ISPs in being forced to log data.

The United States, of course, does not have any mandatory data retention laws. Canada does, and the law appears to apply to VPNs as well as ISPs (it has not yet been tested in court).

So where does that leave us – here in Australia? Well our legislation is set to come into effect on October 7. It’s now widely viewed all across Europe, and in the USA, as a clear breach of privacy. Most Australians don’t understand what data is to be stored (see iiNet and journalist Quentin Dempster‘s article). ISPs, Email providers, and Telcos all now have to store “Metadata” in Australia. That’s right – even your email provider – so you can get a foreign email and the data won’t be stored, but if you use an Australia email provider from October 7, the provider is required to log all activity on your account. Local providers cannot compete evenly with overseas providers, who are able to offer greater protection for privacy not just for your emails, but also for voice calls. This could also push companies who host their websites in Australia overseas so they can avoid having their company email “medata” logged and stored by providers. The retained data can be accessed without a warrant, and for the reason of suspicion of any crime. The government argued there isn’t a need for a warrant because that’s for the content proper – however, iiNet points out the so-called “metadata” provides as much information (or more) as the content itself does. And mentioned earlier – your data may be accessed along with every else who used a shared internet connection (such as a family or workplace internet connection). Imagine this, there could be 6 people in your household, and one person for some reason becomes under suspicion of a crime by law enforcement. When the ISP data is accessed, everyone’s data is accessed at once – the one person under suspicion, and the five who are not. If you use public WiFi – that data also has to be logged and your data will be accessed when anyone who used it is under suspicion!

How to go about securing your privacy online will be the topic of my next post.

One comment on “Data retention: The invasion of privacy”

[…] your date of birth, or your home address if you have a mobile with them. It also highlights why the metadata laws are huge potential beach of your human rights, and your privacy. For example, it means that a […]